Sensor Network Attack Synthesis against Fault Diagnosis of Discrete Event Systems

This paper investigates the problem of synthesizing network attacks against fault diagnosis in the context of discrete event systems (DESs). It is assumed that the sensor observations sent to the operator that monitors a system are tampered with by an active attacker. We first formulate the process of online fault diagnosis under attack. Then, from the attack viewpoint, we define a sensor network attacker as successful if it can degrade the fault diagnosis in the case of maintaining itself as undiscovered by the operator. To verify such an attacker, an information structure called a joint diagnoser (JD) is proposed, which describes all possible attacks in a given attack scenario. Based on the refined JD, i.e., stealthy joint diagnoser (SJD), we present an algorithmic procedure for synthesizing a successful attacker if it exists.


Introduction
With the advancement in computation and communication technologies, cyber-physical systems (CPSs) have emerged as the new generation of engineering systems and computation devices embedded within physical dynamics [1][2][3][4][5].Examples of CPSs include sensor networks, networked computer systems, autonomous vehicles, etc. Usually, the undesired behavior of CPS may be caused by the occurrence of component faults.Hence, we wish that a fault can be diagnosed after its occurrence based on data collected by sensors.In a CPS, the transmission of data information relies on communication networks, which may introduce vulnerabilities to cyber-attacks.
In this paper, we study the behavior of a CPS within the framework of discrete event systems (DESs) [6].One significant advantage of the DES approach to fault diagnosis is that it is a model-based approach.Therefore, DES models naturally capture faults as abrupt events in systems, which facilitates the analysis of faulty behaviors of the system based on limited observations.Another motivation is that, unlike complex models or large data-driven models, DES modeling offers an opportunity to make efficient decisions over an abstract discrete decision space.Specifically, a DES is an event-driven model-based formalism that can provide a time-abstract model for complex systems.
There are two main approaches and tools available for the fault diagnosis of a DES, i.e., automata theory [7][8][9] and Petri nets [10][11][12][13].A comprehensive survey can be found in [14].Within the context of automata theory, the underlying structure of a DES is that of a finite state automaton.This will be formally defined in Section 3. Online fault diagnosis in a DES aims to perform model-based inferencing at runtime based on the current observations, and determines if a fault event has occurred or not in the past.In order to achieve this, a process called a diagnoser is proposed in the seminal work [7], which associates to each observed word of events a diagnosis state, such as "negative", "positive", or "uncertain".

Related Work
The related literature in the context of robust fault diagnosis against disruptions in the communication channels includes, e.g., [15][16][17].For a survey of the work in this domain, we refer to [17].These works are concerned with the loss of observations, i.e., any event in a certain subset of the observable event set may become unobservable due to sensor failures or communication channel constraints.It is shown in [17] that, based on a general diagnosis framework that takes sensor failures into account, a procedure of online diagnosis can be presented.However, such disruptions are not necessarily caused by active attacks.
Motivated by this, our focus is on a specific class of cyber-attacks called sensor network attacks, which may potentially inject false network signals into the communication channels between sensors and the system operator, as shown in Figure 1.As will be clear in the context, in the worst-case scenario, due to the impact of an attacker, the operator cannot diagnose the fault occurrence as it should.Indeed, sensor network attacks have been investigated in the context of attack detection [18,19], state estimation [20,21], and supervisory control [22,23].However, very few studies have been devoted to fault diagnosis under attack.Apart from our earlier work [24], two recent contributions in this context are [25,26].In these works, from a defense viewpoint, the authors aim to capture the fact that fault diagnosis can be properly performed against malicious attacks.In this paper, we study from the attacker's viewpoint, which allows us to determine conditions under which the attacker is harmful and stealthy and synthesize a strategy to satisfy those conditions.Our objective is to verify a successful attacker that can achieve two goals: (i) induce the operator to no longer diagnose the fault occurrence, guaranteeing its harmfulness; (ii) at the same time, maintain itself as undetected by the operator, guaranteeing its stealthiness.To this end, we first propose a bipartite diagnoser called a joint diagnoser (JD) that embeds all possible attacks in a given attack scenario.To capture stealthy attacks only, a refined JD, i.e., stealthy joint diagnoser (SJD), is presented, which finally provides a necessary and sufficient condition for the existence of a successful attacker.

Sensors
Another contribution of this work is the development of a successful attack synthesis algorithm.To ensure stealthiness, an attacker must consider the race between inserted events and internal system events.In essence, when synthesizing successful attacks, an attack event must be inserted at the desired time.In order to capture this race, we define a pre-empting state of the SJD as those states corresponding to the case where the internal system events are pre-empted by the inserted events.Based on this, a successful attack synthesis algorithm is finally proposed.By providing a general synthesis approach, our ultimate goal is to understand what kinds of attacks systems are not robust to and how to reduce their impact on diagnosis estimation performance.In Table 1, we compare the proposed approach with previous studies.Compared with our conference paper [24] that introduced the diagnosis setting without providing proofs of the results, we here provide formal proofs and detailed examples.Furthermore, we present an approach for online synthesizing a successful attacker.

Finite-State Automata
We first review some common notations of DESs used throughout this paper; the reader is referred to [6] for more details.It is assumed that a DES to be diagnosed is modeled as a finite-state automaton (automaton for short) G = (Q, Σ, δ, q 0 ), where Q is the finite set of states, Σ is the finite set of events, δ : Q × Σ → Q is the partial transition function, and q 0 ∈ Q is the initial state.Suppose that set Σ is divided into the observable event set Σ o and the unobservable event set Σ uo .The set of active events at state q is defined as Γ(q) = {σ ∈ Σ | δ(q, σ)!}, where "!" means "defined".The language generated by G, denoted by L(G) or simply L, is defined as L = {s ∈ Σ * | δ(q 0 , s)!}, where Σ * denotes the Kleene closure of Σ.Let s denote a word of L. The set of the prefixes of s is denoted as The natural projection P : Σ * → Σ * o is defined as (where ε is the empty word) The inverse projection P −1 : Σ * o → 2 Σ * is defined as P −1 (w) = {s ∈ L(G) | P(s) = w}, i.e., P −1 (w) consists of all words s in L(G) whose observations are w. Let 2 and σ / ∈ Σ 1 ; otherwise, it is undefined.In the definition of G 1 ∥ G 2 , Ac(•) denotes the accessible part of an automaton.

Fault Diagnosis
In the literature of fault diagnosis in DESs, the unobservable event set Σ uo is further partitioned into the set of regular unobservable events Σ reg and the set of fault events set of all finite words in L that end with a fault event f .With some abuse of notation, In other words, an observation w is called normal if γ(w) = N since, in this case, no word producing w contains a fault; faulty if γ(w) = F since, in this case, all words producing w contain a fault; ambiguous otherwise.A standard way to compute the diagnosis function is by using a diagnoser.The diagnoser of G is defined as Its construction procedure is detailed in [6].By construction, it holds L(Diag(G)) = P(L(G)).The diagnoser state space Q d is a subset of 2 Q×{N,F} .The diagnoser allows one to associate every state to a diagnosis value γ(q d ) = γ(w), where q d = δ d (q d,0 , w).The diagnoser state q d is negative if γ(q d ) = N; positive if γ(q d ) = F; uncertain if γ(q d ) = U. Figure 2a shows a plant G, where Σ o = {a, b, d, e}, Σ uo = {c, f }, and Σ f = { f }.The corresponding diagnoser is shown in Figure 2b.

Sensor Network Attacks
We start by defining a system model to be diagnosed under attack depicted in Figure 3, where the shadowed block denotes a sensor network attacker that intervenes in the communication channels between the sensors and the operator.It is assumed that the attacker can compromise a subset of the sensor network channels.Specifically, it may implement two types of sensor network attacks: (i) Sensor Erasure attack (SE-attack), which erases some readings generated by the plant; (ii) Sensor Insertion attack (SI-attack), which inserts some fake readings that have not occurred in the plant.If a plant generates a word s ∈ Σ * , the attacker observes an original observation w = P(s) and then produces a corrupted observation w ′ .The operator computes diagnosis state γ(w ′ ) from the corrupted observation w ′ .To formally define the attack function in Figure 3, we denote by Σ era ⊆ Σ o (resp., Σ ins ⊆ Σ o ) the set of events subject to SE-attacks (resp., SI-attacks).Correspondingly, we define Σ − = {σ − | σ ∈ Σ era } as the set of erased events and Σ + = {σ + | σ ∈ Σ ins } as the set of inserted events.We also define Σ a = Σ o ∪ Σ + ∪ Σ − as the attack alphabet.Definition 1.Given a plant G with sets Σ ins and Σ era , an attack function ξ : P(L(G)) → Σ * a satisfies the following constraints:

G
( Statement (1) in Definition 1 implies that the attacker may insert an arbitrary word t ∈ Σ * + at the initial state before any generated word of G is observed.By Statement (2), the attacker cannot erase σ if σ does not belong to Σ era .However, it may insert an arbitrary word t ∈ Σ * + after σ.If an event σ ∈ Σ era occurs, the attacker may either erase σ or leave it intact, and then insert any arbitrary word t ∈ Σ * + .Compared with the nondeterministic attack function in [22], the attack function ξ in Definition 1 is deterministic; therefore, in order to provide different classes of attack strategies, we define the set of all possible attack functions depending on relativity to sets Σ era and Σ ins as "Ξ(Σ era , Σ ins )", abbreviated as Ξ.
An attack function ξ introduces an attack language, denoted as L(ξ, G) = {ξ(w) | w ∈ P(L(G))} (abbreviated as L(ξ)).Let w a ∈ L(ξ) be an attack word.Given an attack word w a , to describe the corrupted observation w ′ received by the operator, an operator mask P : Σ * a → Σ * o is defined as We now define two diagnosis functions on Σ a .The attacker diagnosis function γ att : , where w a = ξ(w); the operator diagnosis function γ opr : Σ * a → {N, F, U} is defined as γ opr (w a ) = γ(w ′ ), where w ′ = P(w a ).In this paper, a sensor network attacker is characterized by a corrupting function that takes an original observation w as input and produces a corrupted observation w ′ = ϕ(w) = P(ξ(w)) as output, as shown in Figure 3.We define L(ϕ, G) = P(L(ξ, G)), abbreviated as L(ϕ), as the corrupted language induced by function ϕ.The set of all possible corrupting functions on Σ era and Σ ins is defined as "Φ(Σ era , Σ ins )", abbreviated as Φ.

Problem Statement
In this section, we first state the fault diagnosis problem under attack as follows.
Problem 1. (Online diagnosis under attack) Given an attack word w a ∈ L(ξ), determine if the diagnosis states based on the corresponding w and w ′ are consistent.
In the worst-case scenario, a faulty observation w that allows for the detection of a fault (i.e., positive diagnosis state "F") can be corrupted into a normal or ambiguous observation corresponding to the absence of the fault (i.e., negative diagnosis state "N") or to an uncertain situation (i.e., uncertain diagnosis state "U").This leads to the notion of a harmful attacker, defined as follows.Definition 3.An attacker ϕ for a language L is said to be harmful if there exists an observation w ∈ P(L) with γ(w) = {F}, which may be corrupted into another observation w ′ = ϕ(w) and γ(w ′ ) ∈ {N, U}.
Under such a harmful attacker (that receives w), the occurrence of a fault is hidden from the operator (that perceives w ′ ); that is, a harmful attacker introduces a delay in the detection of the fault.Next, the stealthiness of an attacker is considered.To this end, we introduce an attack detection mechanism [20,22].If an attacker can always keep its attacks undiscovered by the operator during system execution, we call it stealthy.We now give the condition that implies the stealthiness of an attacker.Definition 4.An attacker ϕ for a language L is stealthy if L(ϕ) ⊆ P(L(G)).
The stealthiness of an attacker is ensured when any corrupted observation received by the operator is contained in the observed language of G. Associated with Definition 4 are two sets of words w ∈ Σ * a defined as follows.Given a plant G, the set of stealthy words on Σ a is defined as S s = {w a ∈ Σ * a | P(w a ) ∈ P(L(G))}, while the set of exposing words on Σ a is defined as S e = {w a σ ∈ Σ * a | w a ∈ S s , σ ∈ Σ a , w a σ / ∈ S s }.A stealthy word w a produces a corrupted observation w ′ = P(w a ) ∈ P(L(G)), which does not reveal the attacker's presence.On the contrary, an exposing word results in the exposure of the attacker at the last observable step.Finally, the ideal attacker that can achieve both goals is said to be successful.Finally, from the attack viewpoint, we formalize the successful attacker existence and synthesis problem.Problem 2. (Existence and synthesis of a successful attacker) Given a language L, determine whether there exists a successful attacker ϕ for L. If it exists, synthesize the successful attacker ϕ.

Attacker Diagnoser and Operator Diagnoser
In our previous work [24], we detail the constructions of two special diagnosers, called Attacker Diagnoser and Operator Diagnoser.The former diagnoser describes all attack words w a that can be generated under attack.The latter diagnoser describes how all words w a ∈ Σ * a are recognized by the operator.Starting from a diagnoser ), we build the following: ) through self-looping each state with all events in Σ + and then adding in parallel to each event σ ∈ Σ era the corresponding event ) through self-looping each state with all events in Σ − , then adding in parallel to each event σ ∈ Σ ins the corresponding event σ + ∈ Σ + , and finally adding a dump state q ∅ that is reached by all undefined transitions.
Proof.Consider first Statement (1).(⇐) By the construction of Diag att (G), given a word w ∈ L(Diag(G)) and ξ ∈ Ξ, there exists a corresponding attack word w a ∈ L(Diag att (G)) such that w a = ξ(w).(⇒) Consider a word w a ∈ L(Diag att (G)) that reaches a state Q d and only contains events in Σ, implying an original observation.At each state of Diag att (G), all events σ + are in a self-loop, which implies that w a can be corrupted by inserting a word of fake events in Σ ins .If the word w a is generated by executing a transition is executed corresponding to an attack that erases σ.Therefore, there exists a function ξ ∈ Ξ and an observation w ∈ L(Diag(G)) such that ξ(w) = w a .The proof of Statement (2) follows that of Statement (1).
By Statement (1) in Proposition 1, the language of the attacker diagnoser consists of all possible attack words w.According to Statement (2), the diagnosis state estimation of Diag att (G) based on w is the same as that of Diag(G) based on s, where w a = ξ(w).
Σ a , δ opr , q d,0 ) be the operator diagnoser.It holds that (1) L(Diag opr (G)) = S s ∪ S e ; (2) w a ∈ S s ⊆ L(Diag opr (G)) ⇒ (∃w ′ ∈ L(Diag(G)))[w ′ = P(w a )]; (3) ∀w a ∈ L(Diag opr (G)): if w a ∈ S s , δ opr (q d,0 , w a ) = δ d (q d,0 , P(w a )); if w a ∈ S e , δ opr (q d,0 , w a ) = q ∅ .Proof.Statement (1) is first considered.By construction the Diag opr (G), it includes all the words in S s ∪ S e .The following is to prove that all the words w a ∈ L(Diag opr (G)) either belong to S s or S e .Consider a word w a ∈ L(Diag opr (G)) that reaches a state q d ∈ Q d and only contains events in Σ o , implying an original observation received by the operator.At each state, all events σ − are in a self-loop, which corresponds to the generation of w a .By the definition of P, it holds that P(w a ) ∈ P(L(G)), i.e., w a ∈ S s .If the word w a is generated by executing a transition δ opr (q ′ d , σ + ) = q ′′ d with σ ∈ Σ ins , it may happen that the "parallel" transition δ att (q ′ d , σ) = q ′′ d is executed and thus P(w a ) ∈ P(L(G)), i.e., w ∈ S s .Then, if the word w a yields d ∅ , then P(w a ) / ∈ P(L(G)), i.e., w a ∈ S e , which completes the proof of Statement (1).The proofs of Statement ( 2) and (3) follow that of Statement (1).
By Statement (1) in Proposition 2, all words in S s and S e can be generated by Diag opr (G).By Statement (2), a word in S s generated by Diag opr (G) can correspond to a corrupted observation w ′ ∈ P(L(G)) recognized by the operator.Statement (3) implies that (i) the diagnosis state estimation of Diag opr (G) based on a stealthy word w a ∈ S s is the same as that of Diag(G) based on w ′ , where w ′ = P(w a ); (ii) all exposing words w a ∈ S e yield q ∅ .
As defined, every state of J-Diag(G) is a pair x = (q d , q d ).The states of J-Diag(G) can be partitioned into stealthy states and exposing states as follows.Definition 6.Given a joint diagnoser J-Diag(G) = (X, Σ a , δ a , x 0 ), the set of exposing states is defined as X e = {x = (q d , q d ) ∈ X | q d = q ∅ }; the set of stealthy states is defined as X s = X\X e .
If an exposing word w a ∈ S e yields an exposing state, we conclude that the attacker that produces w a is stealthy.However, if a stealthy word w a ∈ S s yields a stealthy state, it can only be inferred that the attacker producing w a is currently undiscovered.There is a case where, following the future evolution of G, the attacker will be inevitably discovered.This leads to the notion of a weakly exposing region, denoted as X we ⊇ X e , which can be computed iteratively by a procedure in [21].In the first iteration, The remaining iterations are executed similarly to Equation (4).We do not present the complete procedure here for the sake of brevity but illustrate it via Example 2. Dually, we define the strongly stealthy region as X ss = X\X we ⊆ X s .
Example 2. The joint diagnoser for the preceding G is shown in Figure 5, where the exposing states in X we are highlighted in brown while the stealthy states in X we are highlighted in gray.Let us focus on a stealthy state ({3F}, {1N, 2F}).In the case that the occurrence of event d will take ({3F}, {1N, 2F}) to an exposing state ({4F}, {q ∅ }), we find that i) d cannot be erased; ii) the inserted event e ∈ Σ ins will reach another exposing state ({3F}, {q ∅ }).By Equation ( 4), ({3F}, {1N, 2F}) ∈ X we holds.In plain words, once such a stealthy state is reached, all attempts of an attacker to prevent it from reaching a subsequent exposing state will fail., Definition 7. The stealthy joint diagnoser (SJD, for short) with respect to a joint diagnoser J-Diag(G) = (X, Σ a , δ a , x 0 ) is defined as SJ-Diag(G) = Ac(X ss , Σ a , δ sa , x 0 ), where X ss = X\X we and δ sa = δ a | X ss ×Σ a →X ss .
The resulting SJD is obtained by removing all states in X we from a JD and taking its accessible part.Then, we define a subset of the states of SJ-Diag(G), called pre-empting states, which will be used in the procedure to extract an attack function from SJ-Diag(G).Definition 8. Given a JD J-Diag(G) = (X, Σ a , δ a ,x 0 ) with the corresponding SJD SJ-Diag(G)= (X ss ,Σ a ,δ sa ,x 0 ), the set of pre-empting states of SJ-Diag(G) is defined as the set of non-pre-empting states of SJ-Diag(G) is defined as X np = X ss \X p .
A state x ss ∈ X ss is pre-empting if i) there exists an event σ ∈ Σ o whose occurrence (even if erased) causes J-Diag(G) to lead outside X ss ; ii) however, σ can be definitely preempted by inserting an appropriate word of events in Σ + to reach a state in the strongly stealthy state.This state captures the races between inserted events and internal system events.Specifically, at a pre-empting state, the inserted word must be performed before the execution of event σ.In Example 2, state ({3F}, {0N}) is a pre-empting state (highlighted in green), where event d must be pre-empted by inserting a fake event e + to reach a state ({3F}, {5N, 6N}) ∈ X ss ; otherwise, the occurrence of d ∈ Σ o \Σ era will take ({3F}, {0N}) to an exposing state ({4F}, {d ∅ }).

Synthesis of Attackers
In order to synthesize an attacker, the following definition is first required.Definition 9. Let x ss ∈ X ss be a state and X np be the set of non-pre-empting states in the SJD SJ-Diag(G) = (X ss , Σ a , δ sa , x 0 ).
(1) The set of events in Σ a enabled at x ss is defined as (2) The set of words consisting of events in Σ + that originate from x ss and lead to a non-preempting state is defined as L + (SJ-Diag(G), x ss ) = {w a,+ ∈ Σ * + | δ sa (x ss , w a,+ ) ∈ X np }.
The following objective is to show how an attacker may determine an attack function from an SJD.In [21], an algorithmic procedure is presented for this purpose.The main idea is to select attack words that do not end in any state that has an inserted event as a successor transition, of course, including the pre-empting state.Compared with [21], it is now expected to synthesize the attack function producing an attack word that only does not end in pre-empting states.This means that an attacker cannot stay in the pre-empting state when determining its attack function.Now, we provide the following attacker synthesis algorithm, i.e., Algorithm 1.

Algorithm 1 Synthesis of the corrupting function ϕ
select a word w a,+ ∈ L + (SJ-Diag(G), x 0 ) 5: ξ(w) := w a,+ ; ϕ(w) := P(ξ(w)) 6: x ss := δ sa (x 0 , w a,+ ) while a new observable event σ ∈ Σ o is produced by G do 8: select an event σ ′ ∈ I and a word w a,+ ∈ L + (SJ-Diag(G), δ sa (x ss , σ ′ )) 12: let w a := σ ′ w a,+ and w ′ a ∈ {σ ′ , w a } 13: let x ss := δ sa (x ss , σ ′ ) 14: if x ss ∈ X np then ξ(wσ) ∈ ξ(w)w ′ a and x ss := δ sa (x ss , w ′ a ) 15: if x ss ∈ X p then ξ(wσ) := ξ(w)w a and x ss := δ sa (x ss , w a ) 16: ϕ(wσ) := P(ξ(wσ)) 17: w ← wσ 18: end while 19: end procedure This algorithm may recursively associate each observation generated by G with a corresponding attack word.We now briefly explain how it works.When no event is generated by G, the attacker may insert a suitable word w a,+ in the set L + (SJ-Diag(G), x 0 ) (Steps 3 and 4).In Step 5, ξ(ε) is computed, and the new current state x ss of SJ-Diag(G) is updated.Then, we wait for G to generate a new observable event σ (Step 7).A new set I initialized at the empty set is defined.If σ is enabled at x ss , σ is added to I. If σ − is enabled at x ss , σ − is added to I (Steps 8 to 10).In Step 11, an event σ ′ ∈ I and the insertion of a word w a,+ ∈ L + (SJ-Diag(G), δ sa (x ss , σ ′ )) are selected.If the current state x ss with the occurrence of σ ′ is a non-pre-empting state, an attack word w ′ a is produced, which is either σ ′ or the concatenation of σ ′ and w a,+ ∈ L + (SJ-Diag(G), δ sa (x ss , σ ′ )) (Step 14).Otherwise, another attack word w a is produced as the concatenation of σ ′ and w a,+ (Step 15).The corresponding corrupting function is computed in Step 16.Step 17 updates the observation w to wσ.This procedure goes to Step 7 when a new observable event is generated by G. Proposition 3. Given a plant G, function ϕ is stealthy if and only if, for all w ∈ P(L(G)), the corrupted observation ϕ(w) can be computed by Algorithm 1.
According to the property of the SJD, the above results trivially hold, which means that the corrupting function synthesized by Algorithm 1 must be stealthy.Using the notion of pre-empting states, we provide a characterization of the SJD as follows.
Since ξ(w) is computed by selecting w a , which ends in x ss , by Algorithm 1, x ss ∈ X np .
According to the above result, a state pair x ss = (q d , q d ) in the joint diagnoser reached by an attack word w a represents the joint diagnosis state estimation, where q d describes the original diagnosis state estimation of the attacker based on the original observation w, where w a = ξ(w), and q d describes the corrupted diagnosis state estimation of the operator based on the corrupted observation w ′ = P(w a ).
Finally, we conclude this section by the complexity analysis of the proposed approach.Let Diag(G) be a nominal diagnoser with |Q d | states.By construction, the attacker diagnoser Diag att (G) has the same set of states of Diag(G), and so does the operator diagnoser Diag opr (G) except for the dump state d ∅ .Since the JD J-Diag(G) is the parallel composition of Diag att (G) and Diag att (G), its maximum number of states is |Q d | × |Q d + 1|.Hence, the complexity of building an SJD is O(|Q d | 2 ), which is polynomial in the number of states of the nominal diagnoser.However, it is well known that the construction of the diagnoser is worst-case exponential in the number of states in the system.Hence, the overall computational complexity of an SJD is exponential in the number of states of G.

Fault Diagnoisis under Attack
We first address Problem 1, i.e., online fault diagnosis under attack.Similar to the nominal setting, we begin with the definition of a diagnosis function pair.From the definitions of γ att and γ opr , it holds that r(w a ) = (γ att (w a ), γ opr (w a )) = (γ(w), γ(w ′ )), where w a = ξ(w) and w ′ = P(w a ).A more systematic way to compute the diagnosis pair function is by using an SJD.Let x ss = (q d , q d ) = δ sa (x 0 , w a ).By Theorem 1, the SJD allows one to associate every state to a diagnosis state pair r(x ss ) = r(w a ), i.e., γ(q d ) = γ(w) and γ(q d ) = γ(w ′ ) are the diagnosis state of the attacker and operator, respectively.Therefore, Problem 1 can be solved by tracking the current state in SJD reached by the attack word w a .The set of all diagnosis state pairs is defined as R = {N, F, U} × {N, F, U}, which can be partitioned into R = R c ∪ R w ∪ R h , where R c = {(N, N), (U, U), (F, F)}, R w = {(N, U), (N, F), (U, N), (U, F)}, and R h = {(F, N), (F, U)}.Definition 11.Let SJ-Diag(G) be an SJD.A state x ss is correct if r(x ss ) ∈ R c ; wrong nonharmful if r(x ss ) ∈ R w ; harmful if r(x ss ) ∈ R h .Denote the set of correct states, the set of wrong non-harmful states, and the set of harmful states by X sc , X sw , and X sh , respectively.
When the SJD is in a correct state, the operator correctly computes the diagnosis state regardless of the fact that an attack has occurred.When the SJD reaches a wrong non-harmful state, the operator computes a wrong diagnosis state from the corrupted observation due to an attack, which is inconsistent with the diagnosis state based on the original observation.Note that, in such a case, the fault diagnosis is manipulated due to the attack but does not pose a harmful danger.For example, there exists a special case where an attacker induces the operator to think that a fault has occurred, while the system is actually under nominal behavior.The false positive may make the operator decide to take some unnecessary actions, e.g., shut down the system and start it again, which may increase the operational expenses of operating a system.
Finally, harmful states of the SJD correspond to the detection of a fault based on the original observation, while no detection is based on corrupted observation.Its physical interpretation is that the attacker itself has already confirmed that the fault has occurred, but it induces the operator to be unable to claim the fault occurrence.

Verification of Successful Attackers
As discussed above, it is intuitive that the presence of a harmful state in the SJD is related to Problem 2, the existence of a successful attacker.
Theorem 2. Given a plant G, there exists a successful attacker if and only if the SJD SJ-Diag(G) contains a harmful state, i.e., X sh ̸ = ∅.
Example 3. Let us continue with Example 2. After refining, the SJD is shown in Figure 6.Let w a,1 = a − e + be an attack word that yields the wrong non-harmful state ({1N, 2F}, {5N, 6N}).This implies that the diagnosis state of the attacker based on w = a is "U" while the diagnosis state of the operator based on w ′ = e is "N".At this point, the attacker has doubted if the fault has occurred or not; however, the operator is certain that the fault has not occurred.
Let the evolution continue.Another word w a,2 = a − e + b − d yields a harmful state ({4F}, {7N}) in SJ-Diag(G).By Theorem 2, there exists a successful attacker for G that produces the attack word w a,2 = a − e + b − d.At this point, the attacker is certain that the fault has occurred based on w = abd; however, based on the corrupted observation w ′ = ed, the operator persists in its opinion that the fault has not occurred.

Synthesis of Successful Attackers
We first provide the following proposition to ensure that a successful attacker can be synthesized from the SJD.Proposition 4. Let G be a plant and SJ-Diag(G) = (X ss , Σ a , δ sa , x 0 ) be the SJD.A successful corrupting function ϕ can be computed if and only if X sh ∩ X np ̸ = ∅.
(Only if) Suppose that ϕ is a successful corrupting function that can be computed.Since function ϕ is stealthy, by Algorithm 1 and Proposition 3, the attack word w a = ξ(w) does not end in a pre-empting state of SJ-Diag(G), i.e., x ss = δ sa (x 0 , ξ(w)) ∈ X np .On the other hand, as function ϕ is harmful, according to Definition 3, there exists an observation w ∈ P(L(G)) that can be changed into an observation w ′ = ϕ(w) ∈ P(L(G)), and (γ(w), γ(w ′ )) ∈ {(F, N), (F, U)}.By w, w ′ ∈ P(L(G)), it holds that δ d (q d,0 , w) = q d and δ d (q d,0 , w ′ ) = q d .Since SJ-Diag(G) contains all possible stealthy attacks, by Theorem 1, there must exist a state x ss = (q d , q d ) in SJ-Diag(G) with the occurrence of w a = ξ(w) such that δ d (q d,0 , w) = q d and δ d (q d,0 , w ′ ) = q d .By r(x ss ) = r(w a ) = (γ att (w a ), γ opr (w a )) = (γ(w), γ(w ′ )) ∈ {(F, N), (F, U)}, i.e., r(x ss ) ∈ R h , we see that the state r ss is harmful.It holds that x ss ∈ X sh ∩ X np , i.e., X sh ∩ X np ̸ = ∅.This proposition implies that, from the synthesis viewpoint, only a successful attacker that determines an attack word yielding a non-pre-empting harmful state can make sense.We now give Algorithm 2 to synthesize a successful attacker from an SJD.In Algorithm 2, the condition x ss ∈ X sh ∩ X np (Step 3) for selecting a state r guarantees the harmfulness of the stealthy corrupting function synthesized by Algorithm 1.The key point is that the attack word a − b − is not selected in the synthesis procedure, i.e., it holds that ξ(ab) = a − b − e + rather than ξ(ab) = a − b − .This means that the attacker implements its attacks by first erasing the occurrence of event a, then erasing event b, and finally inserting e + while observing abd.

Figure 1 .
Figure 1.Fault diagnosis architecture under attack.To make the architecture more illustrative, different components are represented by different colors.

Figure 3 .
Figure 3.A fault diagnosis system under attack.

Definition 10 .
Given an attack word w a , a diagnosis pair function r : Σ * a → {N, F, U} × {N, F, U} associating to w a ∈ Σ * a a diagnosis state pair is defined as r(w a ) = (γ att (w a ), γ opr (w a )), where γ att and γ opr are the attacker and operator diagnosis functions, respectively.

Table 1 .
Comparison of related works, where the "✓" symbol indicates the selection of an option.